1. INTRODUCTION

1.1. CONCEPT

EAGLE core technology by AMESYS is designed to help Law Enforcement
Agencies and Intelligence organizations to reduce crime levels, to protect
from terrorism threats and to identify new incoming security dangers.

The EAGLE Interception System can be decomposed into distinct parts:

> The Probe capturing the traffic

> The Data Centre for classification and storage

> The Monitoring Centres

1.2. Features

EAGLE system will retrieve the complete protocol information from the Call
Data Record (CDR) and all the attached documents for the following
network protocols:

> Mail
  - SMTP
  - POP3
  - IMAP

> Webmails
  - Yahoo! Mail Classic and Yahoo! Mail v2
  - Hotmail v1 and v2
  - Gmail

> VoIP
  - SIP / RTP audio conversation
  - MGCP audio conversation
  - H.323 audio conversation

> Chat
  - MSN Chat
  - Yahoo! Chat
  - AOL Chat
  - Paltalk

> Http

> Search Engines
  - Google
  - MSN Search
  - Yahoo!

> Transfers
  - FTP
  - Telnet

1.3. COMPONENTS AND TERMINOLOGY OF THE MMI

The EAGLE's Man-Machine Interface (MMI) is made of a logo, a toolbar
including three modules and a workspace changing according to the
selected module. The diagram below illustrates the components and the
terminology used by the MMI:

[Diagram: MMI components, with labels Filter function, Search Directives tab, No-Interest popup and Warnings popup]

In addition, various status messages can be displayed. Their colour follows a
convention:

> Green: requested action is successful

  Matches found

> Yellow: you missed an action

  At least 2 suspects are needed, sorry.

> Red: unsuccessful action or specific attention is required

  Cannot change password

2. MENUS DESCRIPTION

When you switch on your computer or launch Mozilla Firefox by clicking
on its icon, the window shown below appears:

[Screenshot: EAGLE login window with "Login" and "Password" fields]

Enter your login and password, and click the "Login" button to access the
EAGLE's MMI.

To display more content on the screen, the EAGLE's MMI uses Full Screen
mode. Full Screen mode condenses Firefox's toolbars into one
small toolbar. To disable Full Screen mode, simply press F11 as indicated
on the yellow information message.



2.1. Home (WEL)

The "Home (WEL)" module displays the logo of the EAGLE system and the
current version of the MMI.

[Screenshot: toolbar showing the New Interception Manager (NIM) and Personal Information Management (PIM) modules]

Click on the "Logout" button to close your access to the MMI and then close
Firefox and shut down your computer.



This document is AMESYS property. It cannot be copied nor communicated to a third party without AMESYS written authorization. 




[Screenshot: Home page showing "Welcome to the Eagle User Interface" and "UI version 5.0.2"]

2.2. New Interception Manager (NIM)

The "New Interception Manager (NIM)" module contains the different
Process Folders (OC, GS, NI or Uncatched) allocated to you by your
Superuser.

Once you have selected a Process Folder, you can hide the modules
by clicking on the □ button, to enlarge your workspace.

2.2.1. Search Directives Tab

The "Search Directives" tab lists chronologically the orders coming from the
Superuser for each Process Folder. Each order includes a "Note" and the
"Timestamp" (date and time) of its emission.

[Screenshot: "Search Directives" tab for the selected folder, with columns Timestamp and Note; the example entry is dated 06/10/08 11:07:10]

Check the "Search Directives" regularly to stay up to date with the
Superuser's orders.

2.2.2. Pre-classified interception Tabs

The pre-classified interception tabs, "All", "All\Http" (all interceptions except
Http), "Mail", "VoIP", "Chat", "Search Engine", "Http" and "Transfer" list the
interceptions by category.

[Screenshot: "All" tab for the selected folder, listing interceptions with columns Status, Category, Relevance Note and Detail]

Some of the tabs have a drop-down list to refine the selection as described
in the table below:

> All: Webmail, POP3, SMTP, IMAP, VoIP/SIG, VoIP/RTP, VoIP, Chat, Http, FTP, Telnet, Search Engine

> All\Http: Webmail, POP3, SMTP, IMAP, VoIP/SIG, VoIP/RTP, VoIP, Chat, FTP, Telnet, Search Engine

> Mail: IMAP, POP3, SMTP, Webmail

> VoIP: VoIP/SIG, VoIP/RTP, VoIP

> Transfer: Telnet, FTP

The pre-classified interception tabs cannot be closed!!!

2.2.3. Search Function

The "Search" function is a text search engine that can help you to minimize
the time required to find valuable information, and the number of
interceptions which must be consulted.

Once a search is done, a new tab is automatically created as shown
below, allowing you to work on it or to refine your search. When finished, click
on the Close tab button to close a Search result tab.

[Screenshot: Search result tab opened next to the pre-classified tabs, listing the matching interceptions]

The "Search" function uses a list of common words that are not
indexed, such as "of", "the", "is" and so on.

The Search Query identifies the desired concept that one or more emails,
attachments or chats may contain and is expressed as a set of words and
operators such as:

> AND: term1 AND term2

Use the AND operator to search for interceptions that contain at least
one occurrence of each of the query terms.

For example, to obtain all the interceptions that contain the terms
blue and black and red, issue the following query:

blue AND black AND red

> OR: term1 OR term2

Use the OR operator to search for interceptions that contain at least
one occurrence of any of the query terms.

For example, to obtain all the interceptions that contain the term blue
or the term black, issue the following query:

blue OR black

> NOT: term1 NOT term2

Use the NOT operator to search for interceptions that contain one
query term and not another.

For example, to obtain the interceptions that contain the term blue
but not the term black, issue the following query:

blue NOT black

> EQUIV: term1=term2

Use the EQUIV operator to specify an acceptable substitution for a
word in a query.

The following example returns all interceptions that contain either the
phrase "blue is a colour" or "black is a colour":

blue=black is a colour
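
The four operators above and the stop-word behaviour, as an added example that is not part of the manual and is not EAGLE code. It assumes left-to-right evaluation, a stop-word list extended beyond the three words the manual names, and phrase matching on the words left after stop-word removal; the sample texts are constructed.

```python
import re

# Assumed stop-word list: the manual names only "of", "the" and "is".
STOP_WORDS = {"of", "the", "is", "a"}
OPERATORS = {"AND", "OR", "NOT"}

# Constructed sample texts standing in for indexed content.
TEXTS = {
    "t1": "The sky is blue and the flag is black, white and red.",
    "t2": "Black is a colour, some say.",
    "t3": "Blue is a colour of the sea.",
    "t4": "Nothing about colours here.",
}


def index_words(text):
    """Lower-cased words of a text, with the non-indexed stop words dropped."""
    return [w for w in re.findall(r"[a-z0-9]+", text.lower())
            if w not in STOP_WORDS]


def parse_phrase(tokens):
    """Query words -> list of sets of acceptable words ('blue=black' -> one set)."""
    phrase = []
    for token in tokens:
        alternatives = {a.lower() for a in token.split("=") if a} - STOP_WORDS
        if alternatives:                      # stop words cannot be searched
            phrase.append(alternatives)
    return phrase


def contains_phrase(words, phrase):
    """True if the phrase matches a run of consecutive indexed words."""
    if not phrase:
        return False
    span = len(phrase)
    return any(all(words[i + j] in phrase[j] for j in range(span))
               for i in range(len(words) - span + 1))


def matches(query, text):
    """Evaluate a query against one text, operators applied left to right."""
    segments, operators, current = [], [], []
    for token in query.split():
        if token in OPERATORS:
            if not current:
                raise ValueError("operator without a term before it")
            segments.append(current)
            operators.append(token)
            current = []
        else:
            current.append(token)
    if not current:
        raise ValueError("empty query or trailing operator")
    segments.append(current)

    words = index_words(text)
    values = [contains_phrase(words, parse_phrase(s)) for s in segments]
    result = values[0]
    for operator, value in zip(operators, values[1:]):
        if operator == "AND":
            result = result and value
        elif operator == "OR":
            result = result or value
        else:                                 # NOT: keep left, exclude right
            result = result and not value
    return result


def search(query, texts=TEXTS):
    """Sorted ids of the texts that satisfy the query."""
    return sorted(tid for tid, text in texts.items() if matches(query, text))


if __name__ == "__main__":
    for q in ("blue AND black AND red", "blue OR black",
              "blue NOT black", "blue=black is a colour"):
        print(q, "->", search(q))
```

A query made only of stop words matches nothing, because those words never reach the index.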

2.2.4. Filter Function

An interception can have various statuses:

> "Unread" until any operator opens it for the first time

> "Opened" when it has been opened but does not have a "Relevance
note"

> "Closed" when any operator attributes a "Relevance note" to it (Zero,
Poor, Good or Very good).

With the "Filter" function, you can filter interceptions according to their
current status. For example, below are displayed only "Opened" and
"Closed" interceptions.

[Screenshot: Filter panel with "Opened interceptions" and "Closed interceptions" ticked, and the resulting interception list]

2.2.5. Graph+ (only for OC)

In the case of an "Open Case" (OC) Process Folder, the EAGLE system creates a
"Graph+" chart automatically, using information from every interception.
The "Graph+" is a graphical tool designed to display and to analyze the
intelligence relating to an investigation in a visual form. It supports you in
your analysis, helping to navigate through large networks of data and
discover underlying interconnections quickly.

Click the "Graph+" button. A new tab called "Graph" appears:

[Screenshot: "Graph" tab opened next to the pre-classified tabs]

When finished, click on the Close tab button to close a "Graph" tab.

From the Graph+, you can:

> Center the chart on a particular ID or suspect by clicking on it and
then on the "Center" button.

> Remove an uninteresting node by clicking on it and then on the
"Remove" button. The "Switch to full view" button allows you to
display every node, even the previously removed ones.

The colour of the nodes follows a convention:

By clicking on a Suspect node, you can access the Suspect's information:

[Screenshot: "SUSPECT" panel with general information (Nickname, Real firstname, Real name, Primary Language, Priority) and the associated MAIL / EMAIL_ADDR identifiers]

2.2.6. Suspects (only for OC)

In the case of an "Open Case" (OC) Process Folder, you can directly
visualize only connections between suspects.

Click on the "Suspects" button. A new tab called "Suspects" appears as

When finished, click on the Close tab button to close a "Suspects" tab.



Reference: EAGLE / MAN-EAGLE-OPERATOR 
Version 1.0 - 19/03/09 
Page 23/66 








EAGLE GLINT - OPERATOR MANUAL 



As for the Graph+, by clicking on the link between suspects, you can directly 
visualize their communications: 



[Screenshot: "Suspects Link" tab listing the communications between two suspects, with columns Status, Timestamp, Category, Relevance Note and Detail]

When finished, click on the Close tab button to close a "Link" tab.

2.2.7. No-Interest popup

At any time, you can report uninteresting IDs to your Superuser through
the "No-Interest" popup.

Move the mouse over the "No-Interest (Mouse here to focus)" title at the
top of the workspace to display the popup window.

From the drop-down lists, select respectively the type of ID (Email address,
Phone number or ISP account) and the operator (=, BEGINS_WITH or
ENDS_WITH), then type the appropriate ID in the text box.

[Screenshot: No-Interest popup ("Send the following ID:") with the ID type and operator drop-down lists, displayed above an open interception]

Click the "Send ..." button to send your suggestion to the Superuser. A
confirmation message is displayed:

ID has been sent

2.2.8. Warnings popup

The "Warnings" popup window is an information area alerting you when at
least one new interception is available in any of your OC Process Folders.

[Screenshot: Warnings popup displayed above the "Search Directives" tab]




In addition, a window is regularly displayed: 

2.3. Personal Information Management (PIM)

The "Personal Information Management (PIM)" module lets the
logged-in Operator change the password used to access the EAGLE's MMI.

In the two text boxes, enter the password you would like to start using.
Entering the password twice helps to make sure that you typed your new
password correctly. Click the "Change password" button to confirm your
changes.

[Screenshot: Personal Information Management (PIM) module with the "Password" and "Confirm your password" text boxes]

Now that your logon password has been changed, you must use your new
password to log on to EAGLE's MMI from this point forward.

Changing your logon password regularly is a good habit to help keep
your access secure.

3. INTERCEPTIONS ANALYSIS

3.1. Methodology

[Flowchart: analysis methodology. Boxes recoverable from the figure: Open Case, Graph+, Remove uninteresting nodes, General Search (GS), Search Directives, and the two step lists below.]

> Interceptions
  1. Pre-selected interception Tabs
  2. Interception's list refresh
  3. (Filter Tool if needed)
  4. (Search Tool if needed)
  5. View interception

> Transcription
  1. Open Transcription
  2. Title
  3. Translation (if needed)
  4. Named entities
  5. Operational summary

3.2. COMPONENTS AND TERMINOLOGY OF AN INTERCEPTION

The interception view is made of:

> A toolbar including three buttons (Back, Print and Refresh)

> The "Technical Data" table

> The "Technical Specific Data" table (changing according to the
category of the interception)

> The "Extra Data" table (optional)

> The "This is a spam, send it to spamfilter" button for Junk e-mail
Reporting

> The content of the interception (changing according to the category of
the interception)

> The "Relevance Note" made of a text box and four buttons for
ranking.

The diagram below illustrates the components and the terminology used in
this view:

[Diagram: interception view of an open Webmail interception, with labels Open tab, Geolocalization popup, Junk e-mail Reporting button, Content of the interception, Relevance Note and Open transcription]

3.2.1. Technical Data

Every interception will have a "Technical Data" table like the one shown
below:

Technical data

  Unique identifier     0000000afb7649131000001703600300
  Type                  Mail
  Category              POP3
  Date                  Thu, 22 Jan 09 10:50:44 +0000
  Transcoding status    Not transcoded
  TCP Informations

> Unique identifier

A unique hexadecimal number which is assigned by EAGLE to identify an
interception

> Type and Category

Classification of the interception

> Date

Accurate date and time of the interception expressed in UTC
(Coordinated Universal Time) time standard.

> Transcoding status

Only VoIP communications need Transcoding.

> TCP Informations

  From: IP address xx.xxx.250.100, Port 110
  To:   IP address xx.xxx.121.127, Port 1142

In addition, by moving the mouse over every IP address, a Geolocalization
popup window appears with the accurate coordinates:

[Screenshot: Technical data table of a POP3 interception with the Geolocalization popup displayed]






3.2.2. Technical Specific Data 



Every interception will have a "Technical Specific Data" table but the fields 
can be different: 



For further details, please see the paragraphs dedicated to each category of 
interceptions. 

3.2.3. Extra Data

For every interception, the EAGLE system automatically extracts some
interesting data from the content itself such as email address, telephone
number and ISP ID.

The result appears in the "Extra data" table:

[Screenshot: "Extra data" table listing the extracted identifiers by type (EMAIL_ADDR, LANG, ISP_ID)]

The extra data supports you in your analysis, helping to report every
interesting ID for improvement of further interception.

Moreover, in the case of an Open Case Process Folder, "Extra data" are
used in "Graph+" to discover underlying interconnections quickly.

3.2.4. Relevance note

The "Relevance note" tool is located at the end of each interception page
and is made of a "Header" text box and four "Ranking" buttons as shown
on the picture below:

[Screenshot: Relevance note tool with the Header text box and the Ranking buttons]

As Operator, you must associate an individual evaluation to each
interception including a concise, clear and complete title and a content
ranking based on the "Search Directives" criteria:

> Zero: Junk content

> Poor: Communication not related to the Search Directives

> Good: Communication related to the Search Directives

> Very Good: Content is of top importance

Thus, it makes it possible for the Superuser to quickly select the interceptions
he is likely to want to see.

Note that each time you attribute a "Relevance note" to an interception, the
interception tables of each pre-classified tab are updated:

[Screenshot: interception table after ranking, with columns Status, Category, Relevance Note and Detail; the Status column shows the ranking (Good, Zero, Very Good) and the Relevance Note column shows the Header text]

Always fill in the Header first, then click one of the Ranking buttons,
because once a ranking is chosen, you:

- cannot go back to fill the Header

- cannot modify your ranking.

3.2.5. Transcription

You must associate a transcription with each interception ranked as "Good" or
"Very Good".

Click on the "Open Transcription" link at the end of each interception page.
A "Transcription" page opens, similar to the one below:

A typical transcription includes:

> A list of "Named Entities" such as names, geographic places ...

> A complete "Translation" of any written text or a complete
transcription and translation (if needed) of any voice
communication

> A short summary of content (answers to Who, What, When with no
details or parenthesis).

At any time, a transcription can be modified. When finished, click the
"Create ..." button.

3.3. Categories of Interception

3.3.1. Mail

Below is a typical "Technical Specific Data" table in the case of a Mail
interception:

Technical specific data

3.3.2. VoIP

Below is a typical "Technical Specific Data" table in the case of a VoIP
interception:

Technical specific data

  Caller
  Callee
  Call duration    16 m 16 s
  End status       COMPLETED

3.3.3. Chat

Below is a typical "Technical Specific Data" table in the case of a Chat
interception:

Technical specific data

  Login
  participants

CONTACTS CHAT

  [Sat, 15 Nov 08 22:09:38 +0000;
  no again
  [Sat, 15 Nov 08 22:09:40 +0000;
  ok
  [Sat, 15 Nov 08 22:09:41 +0000;
  ill go too
  [Sat, 15 Nov 08 22:09:55 +0000;
  ok maybe tomorrow or later
  [Sat, 15 Nov 08 22:10:03 +0000;
  if i finished earlier
  [Sat, 15 Nov 08 22:10:04 +0000;
  ok
  [Sat, 15 Nov 08 22:10:12 +0000






3.3.4. Http

Below is a typical "Technical Specific Data" table in the case of a Http
interception:

3.3.5. Search Engine

Below is a typical "Technical Specific Data" table in the case of a Search
Engine interception:

3.3.6. Transfer

Below is a typical "Technical Specific Data" table in the case of a Transfer
interception:

Technical specific data

  Login
  Password

  Files   Filename                                             Filesize (bytes)
  #0      /Nero Web/Int_AllFiles.info                          614
  #1      /Nero Web/Nero 7.vinf                                2116
  #2      /Nero Web/Nero 7/Cab/Int_AllFiles.info               123472
  #3      /Nero Web/Nero 7/Int_AllFiles.info                   2202
  #4      /Nero Web/Nero 7/Redist/Config/Int_AllFiles.info     79
  #5      /Nero Web/Nero 7/Redist/DirectX/Int_AllFiles.info    533
  #6      /Nero Web/Nero 7/Redist/Int_AllFiles.info            396
  #7      /Nero Web/Nero 7/Setup/Int_AllFiles.info             1764
  #8      /Nero Web/Nero 7/Setup/fminf.fml                     85
  #9      /Nero Web/Patches/Int_AllFiles.info

4. FREQUENTLY ASKED QUESTIONS (FAQ)

4.1. Firefox Messages

4.1.1. Secure Connection Failed

Firefox uses certificates on secure websites (those that start with https:) to
ensure that your information is being sent to the intended recipient and
can't be read by eavesdroppers. To keep you secure, Firefox will warn you if
there's a problem with a site's certificate. The EAGLE site is legitimate; you can
tell Firefox to bypass these warnings.

On the warning page, click "Or you can add an exception...".

    Secure Connection Failed

    172.17.0.150 uses an invalid security certificate.

    The certificate is not trusted because it is self signed.
    The certificate is only valid for localhost.
    The certificate expired on 14/02/2008 18:52.

    (Error code: sec_error_expired_issuer_certificate)

    ■ This could be a problem with the server's configuration, or it could be someone
      trying to impersonate the server.

    ■ If you have connected to this server successfully in the past, the error may be
      temporary, and you can try again later.

    Or you can add an exception...

Click "Add Exception...".

[Screenshot: the same warning page, expanded with the following text and buttons]

    You should not add an exception if you are using an internet connection that you do not trust
    completely or if you are not used to seeing a warning for this server.

    Get me out of here!    Add Exception...

The "Add Security Exception" dialog will appear.

Click "Get Certificate".

Click "Confirm Security Exception".

4.1.2. Offline Mode

Firefox has an offline mode where it does not try to use the Internet. If
your Firefox is in offline mode, it will show an "Offline mode" message when
you try to use EAGLE's MMI.

To turn off offline mode, open the "File" menu. If there is a check mark
beside "Work Offline", click "Work Offline" to remove the check mark. If
there's no check mark, Firefox is not in offline mode.

4.2. EAGLE Messages

4.2.1. Interception locked by someone else

When an interception is opened for the first time by an Operator (you or
somebody else), its current Status is changed to "Open" and a mechanism,
called Lock, is applied to enforce limits on its access. This is done to
avoid concurrent ranking of an interception.

The owner of the Lock then becomes the "owner" of the interception and all
other operators have read-only access until the Lock is released.
The Lock is released when its owner ranks the interception.

[Screenshot: open Http interception (status Open) with its Technical data and "Request #0" (Server, URI) tables]

Via his MMI, the Superuser can know who is the owner of a Lock.
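
The Lock rule above, combined with the one-time ranking rule of section 3.2.4, as an added example that is not part of the manual and is not EAGLE code. The class, method names and identifier are hypothetical; the example assumes the first opener is chosen atomically and that a ranked interception stays read-only for ranking.

```python
import threading

RANKINGS = ("Zero", "Poor", "Good", "Very Good")


class Interception:
    """One interception with the Unread -> Open -> Closed life cycle."""

    def __init__(self, uid):
        self.uid = uid
        self.status = "Unread"
        self.lock_owner = None        # what the Superuser can look up
        self.header = None
        self.ranking = None
        self._mutex = threading.Lock()

    def open(self, operator):
        """Open the interception; return True if this operator may rank it."""
        with self._mutex:             # check-and-set must be atomic
            if self.status == "Unread":
                self.status = "Open"
                self.lock_owner = operator
            return self.status == "Open" and self.lock_owner == operator

    def rank(self, operator, ranking, header=""):
        """Attach the Relevance note; allowed once, and only to the Lock owner."""
        if ranking not in RANKINGS:
            raise ValueError(f"unknown ranking: {ranking!r}")
        with self._mutex:
            if self.status == "Unread":
                raise PermissionError("open the interception first")
            if self.status == "Closed":
                raise PermissionError("already ranked: Header and ranking are final")
            if self.lock_owner != operator:
                raise PermissionError(f"read-only: locked by {self.lock_owner}")
            self.header, self.ranking = header, ranking
            self.status = "Closed"
            self.lock_owner = None    # ranking releases the Lock


def race_to_open(operators, uid="constructed-0001"):
    """Let several operators open the same Unread interception at once."""
    item = Interception(uid)
    may_rank = {}
    start = threading.Barrier(len(operators))

    def worker(name):
        start.wait()                  # release all threads together
        may_rank[name] = item.open(name)

    threads = [threading.Thread(target=worker, args=(n,)) for n in operators]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return item, may_rank


if __name__ == "__main__":
    item, may_rank = race_to_open(["op1", "op2", "op3"])
    print("Lock owner:", item.lock_owner, may_rank)
    item.rank(item.lock_owner, "Good", "Conference")
    print(item.status, item.ranking, item.header)
```

Without the mutex around the status check, two operators opening the same Unread interception at the same moment could both believe they own the Lock, which is the concurrent ranking the manual says the Lock exists to prevent.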

4.2.2. At least 2 suspects are needed, sorry

The "Suspects" tab displays only connections between suspects. You obtain
the "At least 2 suspects are needed, sorry" message when one or fewer
Suspects are linked to your current OC Process Folder: this is normal.

If you report new IDs through the "Named Entities" of your "Transcription",
your Superuser will create new Suspects and link them to your OC
Process Folder. Then, when at least two Suspects are linked to it, you
will be able to use the "Suspects" tab.

4.2.3. Too many nodes

[Screenshot: "Suspects Graph" tab (simplified graph) showing the message below]

Too many nodes (80) (please reduce it by grouping into suspects or hidding them)

4.2.4. Cannot retrieve mail

Please alert your Superuser as soon as possible.

[Screenshot: open Webmail interception whose content area shows the "Cannot retrieve mail" message]

4.2.5. Cannot change password

When you set a password, you must always type the password twice to
confirm it. You did this, but the two passwords you typed do not match.

[Screenshot: Personal Information Management (PIM) module, "Change my password" form, with the "Cannot change password" message]

Just carefully type the password twice again.
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4.3. Cases Study 
4.3.1. Junk e-mail 

E-mail spams, also known as Junk e-mails, are identical messages sent to 
numerous recipients by e-mail. Below is an example of spam: 



Play with 555€ of Royal Club Casino's money!

Yes indeed, Royal Club Casino is giving away its money and today it's your turn to get some. Open an account with Royal Club and you can receive up to 555€ free! So
this is how it works:

First deposit: 300% bonus worth up to 300€

Second deposit: 100% bonus worth up to 100€

Third deposit: 155% bonus worth up to 155€

Not only will you receive this royal bonus, but you will also get the widest choice of realistic and exciting games available on the market, including slots, video poker,
roulette and blackjack.

http://www.realwavecasino.com/

Get the Royal treatment you deserve!



EAGLE has its own e-mail spam filtering based on content-matching rules,
which are applied to determine whether an e-mail is "spam" or "ham"
(non-spam messages). Most rules are based on regular expressions that are
matched against the body or header fields of the message. Usually a
message will only be considered as spam if it matches multiple criteria.

EAGLE's spamfilter tries to reinforce its own rules. Typically, when you
attribute a "Relevance note", you feed examples of ham (useful) mails to
the spamfilter:






And when you click on the "This is spam, send it to spamfilter" button, you
feed it examples of spam mails.



From:
To:
Subject: Play with 555 Euro of Royal Club Casino's money!
Date: Sat, 24 Jan 2009 20:16:34 +0900
Display mail in a separate window (printer-friendly)

Then the spamfilter can learn the difference between the two.
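
The rule matching described above, as an added example (not EAGLE's code): regular expressions are matched against the Subject header and the body, and a message counts as spam only when several rules together reach a threshold. The rule names, scores, threshold and the feedback step are assumptions made for illustration; the two sample messages are constructed, abridged from the casino mail above and the Google Alert in section 4.3.2.

```python
import re
from email import message_from_string

# Hypothetical rules and scores, constructed for this example (not EAGLE's own).
# name -> (message field to search, regular expression, score)
RULES = {
    "MONEY_IN_SUBJECT": ("subject", re.compile(r"\d+\s?(?:euro|\$)", re.I), 1.5),
    "GAMBLING_TERMS": ("body", re.compile(r"\b(?:casino|roulette|gambl\w*)", re.I), 2.0),
    "PERCENT_BONUS": ("body", re.compile(r"\d{2,3}\s?%\s+bonus", re.I), 1.5),
    "FREE_OFFER": ("body", re.compile(r"\b(?:free|giving away)\b", re.I), 1.0),
}
THRESHOLD = 4.0  # no single rule reaches it, so one match is never enough

def matched_rules(raw):
    """Names of the rules that match a raw message's Subject header or body."""
    msg = message_from_string(raw)
    fields = {"subject": msg.get("Subject", ""), "body": msg.get_payload()}
    return [name for name, (field, rx, _) in RULES.items() if rx.search(fields[field])]

def score(raw, weights=None):
    """Sum the scores of all matching rules (default scores unless overridden)."""
    weights = weights or {name: rule[2] for name, rule in RULES.items()}
    return sum(weights[name] for name in matched_rules(raw))

def is_spam(raw, weights=None):
    return score(raw, weights) >= THRESHOLD

def feedback(weights, raw, spam, step=0.25):
    """Assumed learning step: raise matched rules' scores for spam, lower for ham."""
    hits = set(matched_rules(raw))
    delta = step if spam else -step
    return {n: max(0.0, w + delta) if n in hits else w for n, w in weights.items()}

# Constructed samples, abridged from the two mails shown in this manual.
SPAM = ("Subject: Play with 555 Euro of Royal Club Casino's money!\n\n"
        "Royal Club Casino is giving away its money. Receive up to 555 Euro free!\n"
        "First deposit: 300% bonus worth up to 300 Euro\n")
ALERT = ("Subject: Google Alert - BP SHARE PRICE\n\n"
         "The method of gambling on share price falls was widely blamed\n")
```

The alert trips one rule ("gambling") but stays below the threshold, which is the reason for requiring multiple criteria.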
4.3.2. e-Newsletters, Alerts ...

Do not confuse junk e-mail with solicited mail such as e-Newsletters or
the Google Alert below, to which it is necessary to subscribe.



From: Google Alerts <googlealerts-noreply@google.com>
To:
Subject: Google Alert - BP SHARE PRICE
Date: Mon, 19 Jan 2009 16:11:54 +0000
Display mail in a separate window (printer-friendly)




Google News Alert for: BP SHARE PRICE

FTSE up on comods but RBS blunts bank bailout boon
guardian.co.uk - UK
Heavyweight energy stocks added most points to the index as the price of crude steadied around $36 a
barrel. BG Group, BP and Royal Dutch Shell gained ...
See all stories on this topic

Four of My Favorite Stocks
Seeking Alpha - New York, NY, USA
I own stock in each of these companies and have never sold a share. I look to add to my positions
when I think the prices are cheap
See all stories on this topic

New £200bn bailout for UK banks
This is Money - UK
The method of gambling on share price falls was widely blamed for a series of slumps in banks' share
prices last summer and autumn, most notably at HBOS. ...

Alliance Meet Alaska
Alaskajournal.com - Anchorage, AK, USA
Speakers at this year's event include senior executives with the major North Slope producing





Nevertheless, e-mails such as e-Newsletters or Alerts can often, but not
always, be reported to your Superuser as Not-Interesting e-mails. As a
counterexample, consider the following e-Newsletter from a specialized
website:



From:
To:
Subject: Gulf in the Media News Alert - December 18, 2008
Date: Thu, 18 Dec 2008 13:42:52 +0400
Display mail in a separate window (printer-friendly)



For details of these and other stories on the Gulf, log on to
www.gulfinthemedia.com

Top Headlines December 18, 2008

Bahrain arrests group suspected of planning attack
A group planning a terrorist attack in the Gulf state of Bahrain has been arrested,
the state security authority said in a statement on Wednesday....

Bush touts relations with Pakistan, Saudi Arabia
President George W. Bush said on Wednesday he is leaving to his
successor a stronger anti-terrorism partnership with Pakistan and Saudi
4.3.3. Notifications



The original SMTP mail service provides limited mechanisms for tracking a 
sent message, and none for verifying that it has been delivered or read. It 
requires that each mail server must either deliver it onward or return a 
failure notice (Bounce message), but both software bugs and system 
failures can cause messages to be lost. To remedy this, Delivery Status
Notifications (DSN, also called Delivery receipts) and Message Disposition
Notifications (MDN, also called Return receipts) are used.

Errors can occur at multiple places in mail delivery. A sender may 
sometimes receive a bounce message from the sender's mail server, and 
other times from a recipient's mail server. That happens because when a
server accepts a message for delivery, it also takes on the responsibility
of sending a DSN in case the delivery fails.

There are many reasons why an e-mail may bounce. One reason is if the 
recipient address is misspelled, or simply does not exist on the receiving 
system. This is a user unknown condition. Other reasons include resource 
exhaustion, such as a full disk, or the rejection of the message due to spam 
filters. In addition, there are MUAs that allow users to bounce a message on 
demand. 

Bounce messages in SMTP are sent with the envelope sender address <>,
known as the "null sender address". They are frequently sent with a "From"
header address of MAILER-DAEMON at the recipient site.




From: <>
To:
Subject: failure notice

From:
To:
Subject: Warning: could not send message for past 4 hours
Typically, a bounce message will contain several pieces of information to
help the original sender in understanding the reason his message was not 
delivered: 

- The date and time the message was bounced, 

- The identity of the mail server that bounced it, 

- The reason that it was bounced (e.g. user unknown or mailbox full), 

- The headers of the bounced message, 

- Some or all of the content of the bounced message. 
Below are different examples of notifications:

From:
To:
Subject: failure notice
Date: 3 Sep 2008 10:54:08 -0000
Display mail in a separate window (printer-friendly)

Hi. This is the qmail-send

From: Unknown (see above)
To: Unknown (see above)
Display mail in a separate window (printer-friendly)
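
An added example (not part of the manual or of EAGLE) that checks the bounce markers described in this section with Python's standard email package: the null sender, a MAILER-DAEMON "From" header, and an RFC 3464 multipart/report body from which the reporting server, failed recipient and reason are read. The function name, the result keys and the sample message are constructed for illustration.

```python
from email import message_from_string

def parse_bounce(raw, envelope_sender=None):
    """Return delivery-failure details, or None if `raw` is not a bounce."""
    msg = message_from_string(raw)
    null_sender = envelope_sender in ("", "<>") or msg.get("Return-Path", "").strip() == "<>"
    from_daemon = "mailer-daemon" in msg.get("From", "").lower()
    is_dsn = (msg.get_content_type() == "multipart/report"
              and str(msg.get_param("report-type", "")).lower() == "delivery-status")
    if not (null_sender or from_daemon or is_dsn):
        return None
    info = {"date": msg.get("Date"), "mta": None, "failures": [], "subject": None}
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            # The parser exposes each blank-line-separated header block as a Message.
            for block in part.get_payload():
                if "Reporting-MTA" in block:
                    info["mta"] = block["Reporting-MTA"].split(";", 1)[-1].strip()
                if "Final-Recipient" in block:
                    info["failures"].append({
                        "recipient": block["Final-Recipient"].split(";", 1)[-1].strip(),
                        "status": block.get("Status"), "reason": block.get("Diagnostic-Code")})
        elif part.get_content_type() == "text/rfc822-headers":
            info["subject"] = message_from_string(part.get_payload())["Subject"]
    return info

# Constructed sample bounce in RFC 3464 layout; all addresses are placeholders.
SAMPLE = """\
Return-Path: <>
From: MAILER-DAEMON@mx.example.net
Subject: failure notice
Date: Wed, 3 Sep 2008 10:54:08 -0000
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; bob@example.com
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp; 550 5.1.1 User unknown
--b1
Content-Type: text/rfc822-headers

Subject: hello
--b1--
"""
```

Bounces that carry only free text (no message/delivery-status part) are still recognised by the sender checks, but return an empty "failures" list.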
4.3.4. Placeholder in a message

To protect your privacy from junk e-mail senders, some e-mail clients such
as Microsoft Office Outlook are configured by default to block image
downloads from the Internet. A blocked image then appears as a
placeholder indicating that the image can't be displayed.



From: Unknown (see above) 

To: Unknown (see above) 

Display mail in a separate window (printer-friendly) 




Make 20% Yields from Our Vegetable 
Economy 

By Tom Dyson 

Traders called it the "Greenspan Put." 

During the 1980s and 1990s, the Federal Reserve adopted an unofficial 
"bailout" policy. Whenever a crisis occurred, Fed Chairman Alan Greenspan 
would cut interest rates and inject billions of dollars of extra credit into the 
system. This "re-juiced" the markets, making them rise again. 






Traders buy put options to protect themselves from catastrophe. Put options
are like insurance. With the Greenspan Put in place, traders felt comfortable

[Sidebar: Gold may average higher for each of the next three years and climb to a]
5. GLOSSARY



ADSL: Asymmetric Digital Subscriber Line
Data communications technology that enables faster data
transmission over copper telephone lines than a
conventional voice band modem can provide.

Bounce message: An automated electronic mail message from a mail system
informing the sender of another message about a delivery
problem. The original message is said to have bounced.

DSN: Delivery Status Notification
See Bounce message.

e-Newsletter: A regularly distributed publication via e-mail, generally
about one main topic that is of interest to its subscribers.

FTP: File Transfer Protocol
Internet standard protocol used to transfer data from one
computer to another through a network such as the
Internet.

GS: General Search
Category of EAGLE Process Folder, dedicated to
unidentified target or broad group.

H.323: H.323 is an ITU-T Recommendation that defines the
protocols to provide audio-visual communication sessions
on any packet network.
It is widely deployed worldwide by service providers and
enterprises for both voice and video services over Internet
Protocol (IP) networks.

Ham: Non-spam message.

HTTP: Hypertext Transfer Protocol
Internet standard protocol used for retrieving inter-linked
text documents (hypertext) via the Internet.

IMAP: Internet Message Access Protocol
Internet standard protocol used by local e-mail clients to
retrieve e-mail from a remote server over a TCP/IP
connection.

IP address: Internet Protocol address
Numerical identification (logical address) that is assigned
to devices participating in a computer network using the
Internet Protocol for communication between its nodes.

ISP: Internet Service Provider
Company that offers its customers access to the
Internet.

MGCP: Media Gateway Control Protocol
Signalling and call control protocol used within a
distributed Voice over IP system.

MIME: Multipurpose Internet Mail Extensions
Internet standard that extends the format of e-mail to
support: text in character sets other than ASCII, non-text
attachments, message bodies with multiple parts and
header information in non-ASCII character sets.
MMI: Man-Machine Interface
Aggregate of means by which the users interact with the
EAGLE system.

MUA: Mail User Agent, also known as E-mail client
Front-end computer program used to manage e-mail.

NDN: Non-Delivery Notification
See Bounce message.

NDR: Non-Delivery Report/Receipt
See Bounce message.

NI: Not-Interesting
EAGLE Process Folder, dedicated to targets identified as
uninteresting.

NIM: New Interception Manager
EAGLE Module containing the different Process Folders
allocated to the Operator by a Superuser.

OC: Open Case
Category of EAGLE Process Folder, dedicated to well-known
and identified target.

Paltalk: Paltalk is an Internet chat service for text, voice and video
chatting. The Paltalk Messenger program is only available
to users of Microsoft Windows.

PIM: Personal Information Management
EAGLE Module allowing the logged-in user (Operator or
Superuser) to change the password used to access the EAGLE
User Interface.

POP3: Post Office Protocol version 3
Internet standard protocol used by local e-mail clients to
retrieve e-mail from a remote server over a TCP/IP
connection.

Protocol: Convention or standard that controls or enables the
connection, communication, and data transfer between two
computing endpoints.

Proxy server: Server (a computer system or an application program)
that forwards the requests of its clients to other servers.

Remailer: Server that receives messages with embedded instructions
on where to send them next, and which forwards them
without revealing where they originally came from.

RTP: Real-time Transport Protocol
Internet standard protocol used for audio and video
transmission over the Internet.

SIP: Session Initiation Protocol
Signalling protocol, widely used for setting up and tearing
down multimedia communication sessions such as voice
and video calls over the Internet.

SMTP: Simple Mail Transfer Protocol
Internet standard protocol used for e-mail transmission
over the Internet.
SPAM: Also known as junk e-mail
Unsolicited identical messages sent to numerous
recipients.

TCP: Transmission Control Protocol
One of the core Internet standard protocols, providing
reliable, ordered delivery of a stream of bytes from one
program on one computer to another program on another
computer.

Transcoding: The direct digital-to-digital conversion of one encoding to
another.

UN: Uncatched
EAGLE Process Folder, dedicated to interceptions that
correspond to no rules of interceptions.

URI: Uniform Resource Identifier
Compact string of characters used to identify or name a
resource on the Internet. The main purpose of this
identification is to enable interaction with representations
of the resource over a network, typically the World Wide
Web (WWW).

VoIP: Voice over Internet Protocol
Family of transmission technologies used for voice
communications over the Internet.

Webmail: Also known as Web-based mail
E-mail service intended to be primarily accessed via a web
browser, as opposed to through an e-mail client, such as
Microsoft Outlook or Mozilla's Thunderbird. Very popular
webmail providers include Gmail, Yahoo! Mail, Hotmail and
AOL.